diff --git a/BUILD b/BUILD
index c569482d853..90649cab771 100644
--- a/BUILD
+++ b/BUILD
@@ -325,6 +325,7 @@ grpc_cc_library(
public_hdrs = GRPC_PUBLIC_HDRS + GRPC_SECURE_PUBLIC_HDRS,
standalone = True,
deps = [
+ "grpc_authorization_engine",
"grpc_common",
"grpc_lb_policy_cds_secure",
"grpc_lb_policy_eds_secure",
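Review bot: Making `grpc_authorization_engine` a dependency of the production `grpc` target also ships the `mock_cel/activation.h` and `mock_cel/cel_value.h` headers that the second hunk of this file lists in what appears to be the same library (the BUILD.gn, build_autogenerated.yaml, gRPC-Core.podspec and grpc.gemspec hunks now place them in the core library's file lists as well). A stand-in CEL evaluator compiled into the core library is a security-relevant footprint: any code path that reaches the engine would have its allow/deny decisions computed by mock code, and downstream packagers cannot tell from the target name that the evaluator is not the real one. Whether anything in production code instantiates the engine is not visible in this diff, so please confirm it, and consider splitting `mock_cel/` into its own target so the real evaluator can replace it without touching `grpc`'s deps. At minimum the dep line deserves a comment, e.g. `"grpc_authorization_engine",  # NOTE: evaluator currently backed by mock_cel/; confirm before any production use`. The enclosing `grpc_cc_library(` call begins before this hunk.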
@@ -1864,6 +1865,9 @@ grpc_cc_library(
"src/core/lib/security/authorization/mock_cel/activation.h",
"src/core/lib/security/authorization/mock_cel/cel_value.h",
],
+ external_deps = [
+ "absl/container:flat_hash_set",
+ ],
language = "c++",
deps = [
"envoy_ads_upb",
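Review bot: The single new `external_deps` entry `absl/container:flat_hash_set` has a much larger transitive footprint than the line suggests: the CMakeLists.txt hunks add roughly twenty `absl_*` entries to `gRPC_ABSL_USED_TARGETS` (among them `absl_hashtablez_sampler`, `absl_exponential_biased`, `absl_raw_hash_set`, `absl_hash`, `absl_city`), the Makefile, config.m4 and config.w32 hunks compile the matching sources into every wrapped-language build, and both `grpc.pc` and `grpc++.pc` gain six new `-labsl_*` link flags that every pkg-config consumer must now have installed. If the set this library keeps is small or only probed for membership (not visible here), `std::set`/`std::unordered_set` or the already-used `absl::InlinedVector` would avoid widening the dependency surface of the core library; if `flat_hash_set` is genuinely needed, a one-line comment on this entry saying why would help whoever next audits the dependency list. The enclosing `grpc_cc_library(` begins before this hunk, so the target is presumably the authorization engine library given the `mock_cel/` headers in the context lines.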
diff --git a/BUILD.gn b/BUILD.gn
index 39b3de12650..dff49edae1a 100644
--- a/BUILD.gn
+++ b/BUILD.gn
@@ -788,6 +788,12 @@ config("grpc_config") {
"src/core/lib/json/json.h",
"src/core/lib/json/json_reader.cc",
"src/core/lib/json/json_writer.cc",
+ "src/core/lib/security/authorization/authorization_engine.cc",
+ "src/core/lib/security/authorization/authorization_engine.h",
+ "src/core/lib/security/authorization/evaluate_args.cc",
+ "src/core/lib/security/authorization/evaluate_args.h",
+ "src/core/lib/security/authorization/mock_cel/activation.h",
+ "src/core/lib/security/authorization/mock_cel/cel_value.h",
"src/core/lib/security/context/security_context.cc",
"src/core/lib/security/context/security_context.h",
"src/core/lib/security/credentials/alts/alts_credentials.cc",
@@ -1003,6 +1009,7 @@ config("grpc_config") {
":absl/strings:strings",
":absl/status:status",
":absl/container:inlined_vector",
+ ":absl/container:flat_hash_set",
"//third_party/cares",
":address_sorting",
]
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 6d679bf6092..5018904956e 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -103,14 +103,19 @@ set_property(CACHE gRPC_ABSL_PROVIDER PROPERTY STRINGS "module" "package")
set(gRPC_ABSL_USED_TARGETS
absl_algorithm
+ absl_algorithm_container
absl_atomic_hook
absl_bad_optional_access
+ absl_bad_variant_access
absl_base
absl_base_internal
absl_bits
+ absl_city
absl_civil_time
absl_compressed_tuple
absl_config
+ absl_container_common
+ absl_container_memory
absl_cord
absl_core_headers
absl_debugging_internal
@@ -118,17 +123,27 @@ set(gRPC_ABSL_USED_TARGETS
absl_dynamic_annotations
absl_endian
absl_errno_saver
+ absl_exponential_biased
absl_fixed_array
+ absl_flat_hash_set
absl_function_ref
absl_graphcycles_internal
+ absl_hash
+ absl_hash_function_defaults
+ absl_hash_policy_traits
+ absl_hashtable_debug_hooks
+ absl_hashtablez_sampler
+ absl_have_sse
absl_inlined_vector
absl_inlined_vector_internal
absl_int128
absl_kernel_timeout_internal
+ absl_layout
absl_log_severity
absl_malloc_internal
absl_memory
absl_optional
+ absl_raw_hash_set
absl_raw_logging_internal
absl_span
absl_spinlock_wait
@@ -145,6 +160,7 @@ set(gRPC_ABSL_USED_TARGETS
absl_time_zone
absl_type_traits
absl_utility
+ absl_variant
absl_meta
)
@@ -795,6 +811,7 @@ if(gRPC_BUILD_TESTS)
add_dependencies(buildtests_cxx duplicate_header_bad_client_test)
add_dependencies(buildtests_cxx end2end_test)
add_dependencies(buildtests_cxx error_details_test)
+ add_dependencies(buildtests_cxx evaluate_args_test)
add_dependencies(buildtests_cxx eventmanager_libuv_test)
add_dependencies(buildtests_cxx exception_test)
add_dependencies(buildtests_cxx filter_end2end_test)
@@ -1704,6 +1721,8 @@ add_library(grpc
src/core/lib/iomgr/work_serializer.cc
src/core/lib/json/json_reader.cc
src/core/lib/json/json_writer.cc
+ src/core/lib/security/authorization/authorization_engine.cc
+ src/core/lib/security/authorization/evaluate_args.cc
src/core/lib/security/context/security_context.cc
src/core/lib/security/credentials/alts/alts_credentials.cc
src/core/lib/security/credentials/alts/check_gcp_environment.cc
@@ -1860,6 +1879,7 @@ target_link_libraries(grpc
absl::strings
absl::status
absl::inlined_vector
+ absl::flat_hash_set
)
if(_gRPC_PLATFORM_IOS OR _gRPC_PLATFORM_MAC)
target_link_libraries(grpc "-framework CoreFoundation")
@@ -1946,6 +1966,7 @@ if(gRPC_BUILD_TESTS)
add_library(grpc_test_util
test/core/util/cmdline.cc
test/core/util/debugger_macros.cc
+ test/core/util/eval_args_mock_endpoint.cc
test/core/util/fuzzer_util.cc
test/core/util/grpc_profiler.cc
test/core/util/histogram.cc
@@ -2012,6 +2033,7 @@ if(gRPC_BUILD_TESTS)
add_library(grpc_test_util_unsecure
test/core/util/cmdline.cc
test/core/util/debugger_macros.cc
+ test/core/util/eval_args_mock_endpoint.cc
test/core/util/fuzzer_util.cc
test/core/util/grpc_profiler.cc
test/core/util/histogram.cc
@@ -8410,8 +8432,6 @@ endif()
if(gRPC_BUILD_TESTS)
add_executable(authorization_engine_test
- src/core/lib/security/authorization/authorization_engine.cc
- src/core/lib/security/authorization/evaluate_args.cc
test/core/security/authorization_engine_test.cc
third_party/googletest/googletest/src/gtest-all.cc
third_party/googletest/googlemock/src/gmock-all.cc
@@ -10747,6 +10767,45 @@ target_link_libraries(error_details_test
)
+endif()
+if(gRPC_BUILD_TESTS)
+
+add_executable(evaluate_args_test
+ test/core/security/evaluate_args_test.cc
+ third_party/googletest/googletest/src/gtest-all.cc
+ third_party/googletest/googlemock/src/gmock-all.cc
+)
+
+target_include_directories(evaluate_args_test
+ PRIVATE
+ ${CMAKE_CURRENT_SOURCE_DIR}
+ ${CMAKE_CURRENT_SOURCE_DIR}/include
+ ${_gRPC_ADDRESS_SORTING_INCLUDE_DIR}
+ ${_gRPC_RE2_INCLUDE_DIR}
+ ${_gRPC_SSL_INCLUDE_DIR}
+ ${_gRPC_UPB_GENERATED_DIR}
+ ${_gRPC_UPB_GRPC_GENERATED_DIR}
+ ${_gRPC_UPB_INCLUDE_DIR}
+ ${_gRPC_ZLIB_INCLUDE_DIR}
+ third_party/googletest/googletest/include
+ third_party/googletest/googletest
+ third_party/googletest/googlemock/include
+ third_party/googletest/googlemock
+ ${_gRPC_PROTO_GENS_DIR}
+)
+
+target_link_libraries(evaluate_args_test
+ ${_gRPC_PROTOBUF_LIBRARIES}
+ ${_gRPC_ALLTARGETS_LIBRARIES}
+ grpc_test_util
+ grpc
+ gpr
+ address_sorting
+ upb
+ ${_gRPC_GFLAGS_LIBRARIES}
+)
+
+
endif()
if(gRPC_BUILD_TESTS)
@@ -14684,6 +14743,7 @@ if(_gRPC_PLATFORM_LINUX OR _gRPC_PLATFORM_MAC OR _gRPC_PLATFORM_POSIX)
${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/simple_messages.grpc.pb.h
test/core/util/cmdline.cc
test/core/util/debugger_macros.cc
+ test/core/util/eval_args_mock_endpoint.cc
test/core/util/fuzzer_util.cc
test/core/util/grpc_profiler.cc
test/core/util/histogram.cc
@@ -15625,7 +15685,7 @@ generate_pkgconfig(
"high performance general RPC framework"
"${gRPC_CORE_VERSION}"
"gpr openssl"
- "-lgrpc -laddress_sorting -lre2 -lupb -lcares -lz -labsl_status -labsl_cord -labsl_bad_optional_access -labsl_str_format_internal -labsl_synchronization -labsl_graphcycles_internal -labsl_symbolize -labsl_demangle_internal -labsl_stacktrace -labsl_debugging_internal -labsl_malloc_internal -labsl_time -labsl_time_zone -labsl_civil_time -labsl_strings -labsl_strings_internal -labsl_throw_delegate -labsl_int128 -labsl_base -labsl_spinlock_wait -labsl_raw_logging_internal -labsl_log_severity -labsl_dynamic_annotations"
+ "-lgrpc -laddress_sorting -lre2 -lupb -lcares -lz -labsl_raw_hash_set -labsl_hashtablez_sampler -labsl_exponential_biased -labsl_hash -labsl_bad_variant_access -labsl_city -labsl_status -labsl_cord -labsl_bad_optional_access -labsl_str_format_internal -labsl_synchronization -labsl_graphcycles_internal -labsl_symbolize -labsl_demangle_internal -labsl_stacktrace -labsl_debugging_internal -labsl_malloc_internal -labsl_time -labsl_time_zone -labsl_civil_time -labsl_strings -labsl_strings_internal -labsl_throw_delegate -labsl_int128 -labsl_base -labsl_spinlock_wait -labsl_raw_logging_internal -labsl_log_severity -labsl_dynamic_annotations"
""
"grpc.pc")
@@ -15645,7 +15705,7 @@ generate_pkgconfig(
"C++ wrapper for gRPC"
"${gRPC_CPP_VERSION}"
"grpc"
- "-lgrpc++ -labsl_status -labsl_cord -labsl_bad_optional_access -labsl_str_format_internal -labsl_synchronization -labsl_graphcycles_internal -labsl_symbolize -labsl_demangle_internal -labsl_stacktrace -labsl_debugging_internal -labsl_malloc_internal -labsl_time -labsl_time_zone -labsl_civil_time -labsl_strings -labsl_strings_internal -labsl_throw_delegate -labsl_int128 -labsl_base -labsl_spinlock_wait -labsl_raw_logging_internal -labsl_log_severity -labsl_dynamic_annotations"
+ "-lgrpc++ -labsl_raw_hash_set -labsl_hashtablez_sampler -labsl_exponential_biased -labsl_hash -labsl_bad_variant_access -labsl_city -labsl_status -labsl_cord -labsl_bad_optional_access -labsl_str_format_internal -labsl_synchronization -labsl_graphcycles_internal -labsl_symbolize -labsl_demangle_internal -labsl_stacktrace -labsl_debugging_internal -labsl_malloc_internal -labsl_time -labsl_time_zone -labsl_civil_time -labsl_strings -labsl_strings_internal -labsl_throw_delegate -labsl_int128 -labsl_base -labsl_spinlock_wait -labsl_raw_logging_internal -labsl_log_severity -labsl_dynamic_annotations"
""
"grpc++.pc")
diff --git a/Makefile b/Makefile
index 96979e9ece2..08bf9d470d1 100644
--- a/Makefile
+++ b/Makefile
@@ -2312,6 +2312,8 @@ LIBGRPC_SRC = \
src/core/lib/iomgr/work_serializer.cc \
src/core/lib/json/json_reader.cc \
src/core/lib/json/json_writer.cc \
+ src/core/lib/security/authorization/authorization_engine.cc \
+ src/core/lib/security/authorization/evaluate_args.cc \
src/core/lib/security/context/security_context.cc \
src/core/lib/security/credentials/alts/alts_credentials.cc \
src/core/lib/security/credentials/alts/check_gcp_environment.cc \
@@ -4430,6 +4432,7 @@ endif
LIBGRPC_ABSEIL_SRC = \
third_party/abseil-cpp/absl/base/dynamic_annotations.cc \
third_party/abseil-cpp/absl/base/internal/cycleclock.cc \
+ third_party/abseil-cpp/absl/base/internal/exponential_biased.cc \
third_party/abseil-cpp/absl/base/internal/low_level_alloc.cc \
third_party/abseil-cpp/absl/base/internal/raw_logging.cc \
third_party/abseil-cpp/absl/base/internal/spinlock.cc \
@@ -4439,12 +4442,17 @@ LIBGRPC_ABSEIL_SRC = \
third_party/abseil-cpp/absl/base/internal/throw_delegate.cc \
third_party/abseil-cpp/absl/base/internal/unscaledcycleclock.cc \
third_party/abseil-cpp/absl/base/log_severity.cc \
+ third_party/abseil-cpp/absl/container/internal/hashtablez_sampler.cc \
+ third_party/abseil-cpp/absl/container/internal/hashtablez_sampler_force_weak_definition.cc \
+ third_party/abseil-cpp/absl/container/internal/raw_hash_set.cc \
third_party/abseil-cpp/absl/debugging/internal/address_is_readable.cc \
third_party/abseil-cpp/absl/debugging/internal/demangle.cc \
third_party/abseil-cpp/absl/debugging/internal/elf_mem_image.cc \
third_party/abseil-cpp/absl/debugging/internal/vdso_support.cc \
third_party/abseil-cpp/absl/debugging/stacktrace.cc \
third_party/abseil-cpp/absl/debugging/symbolize.cc \
+ third_party/abseil-cpp/absl/hash/internal/city.cc \
+ third_party/abseil-cpp/absl/hash/internal/hash.cc \
third_party/abseil-cpp/absl/numeric/int128.cc \
third_party/abseil-cpp/absl/status/status.cc \
third_party/abseil-cpp/absl/status/status_payload_printer.cc \
@@ -4495,6 +4503,7 @@ LIBGRPC_ABSEIL_SRC = \
third_party/abseil-cpp/absl/time/internal/cctz/src/zone_info_source.cc \
third_party/abseil-cpp/absl/time/time.cc \
third_party/abseil-cpp/absl/types/bad_optional_access.cc \
+ third_party/abseil-cpp/absl/types/bad_variant_access.cc \
LIBGRPC_ABSEIL_OBJS = $(addprefix $(OBJDIR)/$(CONFIG)/, $(addsuffix .o, $(basename $(LIBGRPC_ABSEIL_SRC))))
@@ -4769,6 +4778,8 @@ src/core/ext/upb-generated/src/proto/grpc/gcp/handshaker.upb.c: $(OPENSSL_DEP)
src/core/ext/upb-generated/src/proto/grpc/gcp/transport_security_common.upb.c: $(OPENSSL_DEP)
src/core/ext/xds/xds_channel_secure.cc: $(OPENSSL_DEP)
src/core/lib/http/httpcli_security_connector.cc: $(OPENSSL_DEP)
+src/core/lib/security/authorization/authorization_engine.cc: $(OPENSSL_DEP)
+src/core/lib/security/authorization/evaluate_args.cc: $(OPENSSL_DEP)
src/core/lib/security/context/security_context.cc: $(OPENSSL_DEP)
src/core/lib/security/credentials/alts/alts_credentials.cc: $(OPENSSL_DEP)
src/core/lib/security/credentials/alts/check_gcp_environment.cc: $(OPENSSL_DEP)
diff --git a/build_autogenerated.yaml b/build_autogenerated.yaml
index 7228789cb16..f69c85f697e 100644
--- a/build_autogenerated.yaml
+++ b/build_autogenerated.yaml
@@ -651,6 +651,10 @@ libs:
- src/core/lib/iomgr/wakeup_fd_posix.h
- src/core/lib/iomgr/work_serializer.h
- src/core/lib/json/json.h
+ - src/core/lib/security/authorization/authorization_engine.h
+ - src/core/lib/security/authorization/evaluate_args.h
+ - src/core/lib/security/authorization/mock_cel/activation.h
+ - src/core/lib/security/authorization/mock_cel/cel_value.h
- src/core/lib/security/context/security_context.h
- src/core/lib/security/credentials/alts/alts_credentials.h
- src/core/lib/security/credentials/alts/check_gcp_environment.h
@@ -1059,6 +1063,8 @@ libs:
- src/core/lib/iomgr/work_serializer.cc
- src/core/lib/json/json_reader.cc
- src/core/lib/json/json_writer.cc
+ - src/core/lib/security/authorization/authorization_engine.cc
+ - src/core/lib/security/authorization/evaluate_args.cc
- src/core/lib/security/context/security_context.cc
- src/core/lib/security/credentials/alts/alts_credentials.cc
- src/core/lib/security/credentials/alts/check_gcp_environment.cc
@@ -1177,6 +1183,7 @@ libs:
- absl/strings:strings
- absl/status:status
- absl/container:inlined_vector
+ - absl/container:flat_hash_set
baselib: true
deps_linkage: static
dll: true
@@ -1203,6 +1210,7 @@ libs:
headers:
- test/core/util/cmdline.h
- test/core/util/debugger_macros.h
+ - test/core/util/eval_args_mock_endpoint.h
- test/core/util/fuzzer_util.h
- test/core/util/grpc_profiler.h
- test/core/util/histogram.h
@@ -1222,6 +1230,7 @@ libs:
src:
- test/core/util/cmdline.cc
- test/core/util/debugger_macros.cc
+ - test/core/util/eval_args_mock_endpoint.cc
- test/core/util/fuzzer_util.cc
- test/core/util/grpc_profiler.cc
- test/core/util/histogram.cc
@@ -1252,6 +1261,7 @@ libs:
headers:
- test/core/util/cmdline.h
- test/core/util/debugger_macros.h
+ - test/core/util/eval_args_mock_endpoint.h
- test/core/util/fuzzer_util.h
- test/core/util/grpc_profiler.h
- test/core/util/histogram.h
@@ -1271,6 +1281,7 @@ libs:
src:
- test/core/util/cmdline.cc
- test/core/util/debugger_macros.cc
+ - test/core/util/eval_args_mock_endpoint.cc
- test/core/util/fuzzer_util.cc
- test/core/util/grpc_profiler.cc
- test/core/util/histogram.cc
@@ -4769,14 +4780,8 @@ targets:
gtest: true
build: test
language: c++
- headers:
- - src/core/lib/security/authorization/authorization_engine.h
- - src/core/lib/security/authorization/evaluate_args.h
- - src/core/lib/security/authorization/mock_cel/activation.h
- - src/core/lib/security/authorization/mock_cel/cel_value.h
+ headers: []
src:
- - src/core/lib/security/authorization/authorization_engine.cc
- - src/core/lib/security/authorization/evaluate_args.cc
- test/core/security/authorization_engine_test.cc
deps:
- grpc_test_util
@@ -5815,6 +5820,19 @@ targets:
- gpr
- address_sorting
- upb
+- name: evaluate_args_test
+ gtest: true
+ build: test
+ language: c++
+ headers: []
+ src:
+ - test/core/security/evaluate_args_test.cc
+ deps:
+ - grpc_test_util
+ - grpc
+ - gpr
+ - address_sorting
+ - upb
- name: eventmanager_libuv_test
gtest: true
build: test
@@ -7503,6 +7521,7 @@ targets:
headers:
- test/core/util/cmdline.h
- test/core/util/debugger_macros.h
+ - test/core/util/eval_args_mock_endpoint.h
- test/core/util/fuzzer_util.h
- test/core/util/grpc_profiler.h
- test/core/util/histogram.h
@@ -7525,6 +7544,7 @@ targets:
- src/proto/grpc/testing/simple_messages.proto
- test/core/util/cmdline.cc
- test/core/util/debugger_macros.cc
+ - test/core/util/eval_args_mock_endpoint.cc
- test/core/util/fuzzer_util.cc
- test/core/util/grpc_profiler.cc
- test/core/util/histogram.cc
diff --git a/config.m4 b/config.m4
index 8b1a28664da..68098a6eddf 100644
--- a/config.m4
+++ b/config.m4
@@ -392,6 +392,8 @@ if test "$PHP_GRPC" != "no"; then
src/core/lib/json/json_writer.cc \
src/core/lib/profiling/basic_timers.cc \
src/core/lib/profiling/stap_timers.cc \
+ src/core/lib/security/authorization/authorization_engine.cc \
+ src/core/lib/security/authorization/evaluate_args.cc \
src/core/lib/security/context/security_context.cc \
src/core/lib/security/credentials/alts/alts_credentials.cc \
src/core/lib/security/credentials/alts/check_gcp_environment.cc \
@@ -514,6 +516,7 @@ if test "$PHP_GRPC" != "no"; then
src/php/ext/grpc/timeval.c \
third_party/abseil-cpp/absl/base/dynamic_annotations.cc \
third_party/abseil-cpp/absl/base/internal/cycleclock.cc \
+ third_party/abseil-cpp/absl/base/internal/exponential_biased.cc \
third_party/abseil-cpp/absl/base/internal/low_level_alloc.cc \
third_party/abseil-cpp/absl/base/internal/raw_logging.cc \
third_party/abseil-cpp/absl/base/internal/spinlock.cc \
@@ -523,12 +526,17 @@ if test "$PHP_GRPC" != "no"; then
third_party/abseil-cpp/absl/base/internal/throw_delegate.cc \
third_party/abseil-cpp/absl/base/internal/unscaledcycleclock.cc \
third_party/abseil-cpp/absl/base/log_severity.cc \
+ third_party/abseil-cpp/absl/container/internal/hashtablez_sampler.cc \
+ third_party/abseil-cpp/absl/container/internal/hashtablez_sampler_force_weak_definition.cc \
+ third_party/abseil-cpp/absl/container/internal/raw_hash_set.cc \
third_party/abseil-cpp/absl/debugging/internal/address_is_readable.cc \
third_party/abseil-cpp/absl/debugging/internal/demangle.cc \
third_party/abseil-cpp/absl/debugging/internal/elf_mem_image.cc \
third_party/abseil-cpp/absl/debugging/internal/vdso_support.cc \
third_party/abseil-cpp/absl/debugging/stacktrace.cc \
third_party/abseil-cpp/absl/debugging/symbolize.cc \
+ third_party/abseil-cpp/absl/hash/internal/city.cc \
+ third_party/abseil-cpp/absl/hash/internal/hash.cc \
third_party/abseil-cpp/absl/numeric/int128.cc \
third_party/abseil-cpp/absl/status/status.cc \
third_party/abseil-cpp/absl/status/status_payload_printer.cc \
@@ -579,6 +587,7 @@ if test "$PHP_GRPC" != "no"; then
third_party/abseil-cpp/absl/time/internal/cctz/src/zone_info_source.cc \
third_party/abseil-cpp/absl/time/time.cc \
third_party/abseil-cpp/absl/types/bad_optional_access.cc \
+ third_party/abseil-cpp/absl/types/bad_variant_access.cc \
third_party/address_sorting/address_sorting.c \
third_party/address_sorting/address_sorting_posix.c \
third_party/address_sorting/address_sorting_windows.c \
@@ -964,6 +973,7 @@ if test "$PHP_GRPC" != "no"; then
PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/iomgr/poller)
PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/json)
PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/profiling)
+ PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/authorization)
PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/context)
PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/credentials)
PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/credentials/alts)
@@ -999,8 +1009,10 @@ if test "$PHP_GRPC" != "no"; then
PHP_ADD_BUILD_DIR($ext_builddir/src/php/ext/grpc)
PHP_ADD_BUILD_DIR($ext_builddir/third_party/abseil-cpp/absl/base)
PHP_ADD_BUILD_DIR($ext_builddir/third_party/abseil-cpp/absl/base/internal)
+ PHP_ADD_BUILD_DIR($ext_builddir/third_party/abseil-cpp/absl/container/internal)
PHP_ADD_BUILD_DIR($ext_builddir/third_party/abseil-cpp/absl/debugging)
PHP_ADD_BUILD_DIR($ext_builddir/third_party/abseil-cpp/absl/debugging/internal)
+ PHP_ADD_BUILD_DIR($ext_builddir/third_party/abseil-cpp/absl/hash/internal)
PHP_ADD_BUILD_DIR($ext_builddir/third_party/abseil-cpp/absl/numeric)
PHP_ADD_BUILD_DIR($ext_builddir/third_party/abseil-cpp/absl/status)
PHP_ADD_BUILD_DIR($ext_builddir/third_party/abseil-cpp/absl/strings)
diff --git a/config.w32 b/config.w32
index 76df40bc91c..44abe47a3f1 100644
--- a/config.w32
+++ b/config.w32
@@ -360,6 +360,8 @@ if (PHP_GRPC != "no") {
"src\\core\\lib\\json\\json_writer.cc " +
"src\\core\\lib\\profiling\\basic_timers.cc " +
"src\\core\\lib\\profiling\\stap_timers.cc " +
+ "src\\core\\lib\\security\\authorization\\authorization_engine.cc " +
+ "src\\core\\lib\\security\\authorization\\evaluate_args.cc " +
"src\\core\\lib\\security\\context\\security_context.cc " +
"src\\core\\lib\\security\\credentials\\alts\\alts_credentials.cc " +
"src\\core\\lib\\security\\credentials\\alts\\check_gcp_environment.cc " +
@@ -482,6 +484,7 @@ if (PHP_GRPC != "no") {
"src\\php\\ext\\grpc\\timeval.c " +
"third_party\\abseil-cpp\\absl\\base\\dynamic_annotations.cc " +
"third_party\\abseil-cpp\\absl\\base\\internal\\cycleclock.cc " +
+ "third_party\\abseil-cpp\\absl\\base\\internal\\exponential_biased.cc " +
"third_party\\abseil-cpp\\absl\\base\\internal\\low_level_alloc.cc " +
"third_party\\abseil-cpp\\absl\\base\\internal\\raw_logging.cc " +
"third_party\\abseil-cpp\\absl\\base\\internal\\spinlock.cc " +
@@ -491,12 +494,17 @@ if (PHP_GRPC != "no") {
"third_party\\abseil-cpp\\absl\\base\\internal\\throw_delegate.cc " +
"third_party\\abseil-cpp\\absl\\base\\internal\\unscaledcycleclock.cc " +
"third_party\\abseil-cpp\\absl\\base\\log_severity.cc " +
+ "third_party\\abseil-cpp\\absl\\container\\internal\\hashtablez_sampler.cc " +
+ "third_party\\abseil-cpp\\absl\\container\\internal\\hashtablez_sampler_force_weak_definition.cc " +
+ "third_party\\abseil-cpp\\absl\\container\\internal\\raw_hash_set.cc " +
"third_party\\abseil-cpp\\absl\\debugging\\internal\\address_is_readable.cc " +
"third_party\\abseil-cpp\\absl\\debugging\\internal\\demangle.cc " +
"third_party\\abseil-cpp\\absl\\debugging\\internal\\elf_mem_image.cc " +
"third_party\\abseil-cpp\\absl\\debugging\\internal\\vdso_support.cc " +
"third_party\\abseil-cpp\\absl\\debugging\\stacktrace.cc " +
"third_party\\abseil-cpp\\absl\\debugging\\symbolize.cc " +
+ "third_party\\abseil-cpp\\absl\\hash\\internal\\city.cc " +
+ "third_party\\abseil-cpp\\absl\\hash\\internal\\hash.cc " +
"third_party\\abseil-cpp\\absl\\numeric\\int128.cc " +
"third_party\\abseil-cpp\\absl\\status\\status.cc " +
"third_party\\abseil-cpp\\absl\\status\\status_payload_printer.cc " +
@@ -547,6 +555,7 @@ if (PHP_GRPC != "no") {
"third_party\\abseil-cpp\\absl\\time\\internal\\cctz\\src\\zone_info_source.cc " +
"third_party\\abseil-cpp\\absl\\time\\time.cc " +
"third_party\\abseil-cpp\\absl\\types\\bad_optional_access.cc " +
+ "third_party\\abseil-cpp\\absl\\types\\bad_variant_access.cc " +
"third_party\\address_sorting\\address_sorting.c " +
"third_party\\address_sorting\\address_sorting_posix.c " +
"third_party\\address_sorting\\address_sorting_windows.c " +
@@ -1007,6 +1016,7 @@ if (PHP_GRPC != "no") {
FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\json");
FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\profiling");
FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security");
+ FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\authorization");
FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\context");
FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\credentials");
FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\credentials\\alts");
@@ -1049,8 +1059,12 @@ if (PHP_GRPC != "no") {
FSO.CreateFolder(base_dir+"\\ext\\grpc\\third_party\\abseil-cpp\\absl");
FSO.CreateFolder(base_dir+"\\ext\\grpc\\third_party\\abseil-cpp\\absl\\base");
FSO.CreateFolder(base_dir+"\\ext\\grpc\\third_party\\abseil-cpp\\absl\\base\\internal");
+ FSO.CreateFolder(base_dir+"\\ext\\grpc\\third_party\\abseil-cpp\\absl\\container");
+ FSO.CreateFolder(base_dir+"\\ext\\grpc\\third_party\\abseil-cpp\\absl\\container\\internal");
FSO.CreateFolder(base_dir+"\\ext\\grpc\\third_party\\abseil-cpp\\absl\\debugging");
FSO.CreateFolder(base_dir+"\\ext\\grpc\\third_party\\abseil-cpp\\absl\\debugging\\internal");
+ FSO.CreateFolder(base_dir+"\\ext\\grpc\\third_party\\abseil-cpp\\absl\\hash");
+ FSO.CreateFolder(base_dir+"\\ext\\grpc\\third_party\\abseil-cpp\\absl\\hash\\internal");
FSO.CreateFolder(base_dir+"\\ext\\grpc\\third_party\\abseil-cpp\\absl\\numeric");
FSO.CreateFolder(base_dir+"\\ext\\grpc\\third_party\\abseil-cpp\\absl\\status");
FSO.CreateFolder(base_dir+"\\ext\\grpc\\third_party\\abseil-cpp\\absl\\strings");
diff --git a/gRPC-C++.podspec b/gRPC-C++.podspec
index 35f93c587c8..b17c29a7f3a 100644
--- a/gRPC-C++.podspec
+++ b/gRPC-C++.podspec
@@ -201,6 +201,7 @@ Pod::Spec.new do |s|
ss.dependency 'gRPC-Core', version
abseil_version = '1.20200225.0'
ss.dependency 'abseil/base/base', abseil_version
+ ss.dependency 'abseil/container/flat_hash_set', abseil_version
ss.dependency 'abseil/container/inlined_vector', abseil_version
ss.dependency 'abseil/memory/memory', abseil_version
ss.dependency 'abseil/status/status', abseil_version
@@ -513,6 +514,10 @@ Pod::Spec.new do |s|
'src/core/lib/iomgr/work_serializer.h',
'src/core/lib/json/json.h',
'src/core/lib/profiling/timers.h',
+ 'src/core/lib/security/authorization/authorization_engine.h',
+ 'src/core/lib/security/authorization/evaluate_args.h',
+ 'src/core/lib/security/authorization/mock_cel/activation.h',
+ 'src/core/lib/security/authorization/mock_cel/cel_value.h',
'src/core/lib/security/context/security_context.h',
'src/core/lib/security/credentials/alts/alts_credentials.h',
'src/core/lib/security/credentials/alts/check_gcp_environment.h',
@@ -1003,6 +1008,10 @@ Pod::Spec.new do |s|
'src/core/lib/iomgr/work_serializer.h',
'src/core/lib/json/json.h',
'src/core/lib/profiling/timers.h',
+ 'src/core/lib/security/authorization/authorization_engine.h',
+ 'src/core/lib/security/authorization/evaluate_args.h',
+ 'src/core/lib/security/authorization/mock_cel/activation.h',
+ 'src/core/lib/security/authorization/mock_cel/cel_value.h',
'src/core/lib/security/context/security_context.h',
'src/core/lib/security/credentials/alts/alts_credentials.h',
'src/core/lib/security/credentials/alts/check_gcp_environment.h',
diff --git a/gRPC-Core.podspec b/gRPC-Core.podspec
index b982ab76cb2..b264b5ec151 100644
--- a/gRPC-Core.podspec
+++ b/gRPC-Core.podspec
@@ -175,6 +175,7 @@ Pod::Spec.new do |s|
ss.dependency 'BoringSSL-GRPC', '0.0.12'
abseil_version = '1.20200225.0'
ss.dependency 'abseil/base/base', abseil_version
+ ss.dependency 'abseil/container/flat_hash_set', abseil_version
ss.dependency 'abseil/container/inlined_vector', abseil_version
ss.dependency 'abseil/memory/memory', abseil_version
ss.dependency 'abseil/status/status', abseil_version
@@ -842,6 +843,12 @@ Pod::Spec.new do |s|
'src/core/lib/profiling/basic_timers.cc',
'src/core/lib/profiling/stap_timers.cc',
'src/core/lib/profiling/timers.h',
+ 'src/core/lib/security/authorization/authorization_engine.cc',
+ 'src/core/lib/security/authorization/authorization_engine.h',
+ 'src/core/lib/security/authorization/evaluate_args.cc',
+ 'src/core/lib/security/authorization/evaluate_args.h',
+ 'src/core/lib/security/authorization/mock_cel/activation.h',
+ 'src/core/lib/security/authorization/mock_cel/cel_value.h',
'src/core/lib/security/context/security_context.cc',
'src/core/lib/security/context/security_context.h',
'src/core/lib/security/credentials/alts/alts_credentials.cc',
@@ -1412,6 +1419,10 @@ Pod::Spec.new do |s|
'src/core/lib/iomgr/work_serializer.h',
'src/core/lib/json/json.h',
'src/core/lib/profiling/timers.h',
+ 'src/core/lib/security/authorization/authorization_engine.h',
+ 'src/core/lib/security/authorization/evaluate_args.h',
+ 'src/core/lib/security/authorization/mock_cel/activation.h',
+ 'src/core/lib/security/authorization/mock_cel/cel_value.h',
'src/core/lib/security/context/security_context.h',
'src/core/lib/security/credentials/alts/alts_credentials.h',
'src/core/lib/security/credentials/alts/check_gcp_environment.h',
@@ -1673,6 +1684,8 @@ Pod::Spec.new do |s|
'test/core/util/cmdline.h',
'test/core/util/debugger_macros.cc',
'test/core/util/debugger_macros.h',
+ 'test/core/util/eval_args_mock_endpoint.cc',
+ 'test/core/util/eval_args_mock_endpoint.h',
'test/core/util/fuzzer_util.cc',
'test/core/util/fuzzer_util.h',
'test/core/util/grpc_profiler.cc',
diff --git a/grpc.gemspec b/grpc.gemspec
index c5bd2207a09..4060a7ef09b 100644
--- a/grpc.gemspec
+++ b/grpc.gemspec
@@ -761,6 +761,12 @@ Gem::Specification.new do |s|
s.files += %w( src/core/lib/profiling/basic_timers.cc )
s.files += %w( src/core/lib/profiling/stap_timers.cc )
s.files += %w( src/core/lib/profiling/timers.h )
+ s.files += %w( src/core/lib/security/authorization/authorization_engine.cc )
+ s.files += %w( src/core/lib/security/authorization/authorization_engine.h )
+ s.files += %w( src/core/lib/security/authorization/evaluate_args.cc )
+ s.files += %w( src/core/lib/security/authorization/evaluate_args.h )
+ s.files += %w( src/core/lib/security/authorization/mock_cel/activation.h )
+ s.files += %w( src/core/lib/security/authorization/mock_cel/cel_value.h )
s.files += %w( src/core/lib/security/context/security_context.cc )
s.files += %w( src/core/lib/security/context/security_context.h )
s.files += %w( src/core/lib/security/credentials/alts/alts_credentials.cc )
@@ -966,6 +972,7 @@ Gem::Specification.new do |s|
s.files += %w( src/core/tsi/transport_security_grpc.h )
s.files += %w( src/core/tsi/transport_security_interface.h )
s.files += %w( third_party/abseil-cpp/absl/algorithm/algorithm.h )
+ s.files += %w( third_party/abseil-cpp/absl/algorithm/container.h )
s.files += %w( third_party/abseil-cpp/absl/base/attributes.h )
s.files += %w( third_party/abseil-cpp/absl/base/call_once.h )
s.files += %w( third_party/abseil-cpp/absl/base/casts.h )
@@ -980,6 +987,8 @@ Gem::Specification.new do |s|
s.files += %w( third_party/abseil-cpp/absl/base/internal/direct_mmap.h )
s.files += %w( third_party/abseil-cpp/absl/base/internal/endian.h )
s.files += %w( third_party/abseil-cpp/absl/base/internal/errno_saver.h )
+ s.files += %w( third_party/abseil-cpp/absl/base/internal/exponential_biased.cc )
+ s.files += %w( third_party/abseil-cpp/absl/base/internal/exponential_biased.h )
s.files += %w( third_party/abseil-cpp/absl/base/internal/hide_ptr.h )
s.files += %w( third_party/abseil-cpp/absl/base/internal/identity.h )
s.files += %w( third_party/abseil-cpp/absl/base/internal/inline_variable.h )
@@ -1019,9 +1028,22 @@ Gem::Specification.new do |s|
s.files += %w( third_party/abseil-cpp/absl/base/port.h )
s.files += %w( third_party/abseil-cpp/absl/base/thread_annotations.h )
s.files += %w( third_party/abseil-cpp/absl/container/fixed_array.h )
+ s.files += %w( third_party/abseil-cpp/absl/container/flat_hash_set.h )
s.files += %w( third_party/abseil-cpp/absl/container/inlined_vector.h )
+ s.files += %w( third_party/abseil-cpp/absl/container/internal/common.h )
s.files += %w( third_party/abseil-cpp/absl/container/internal/compressed_tuple.h )
+ s.files += %w( third_party/abseil-cpp/absl/container/internal/container_memory.h )
+ s.files += %w( third_party/abseil-cpp/absl/container/internal/hash_function_defaults.h )
+ s.files += %w( third_party/abseil-cpp/absl/container/internal/hash_policy_traits.h )
+ s.files += %w( third_party/abseil-cpp/absl/container/internal/hashtable_debug_hooks.h )
+ s.files += %w( third_party/abseil-cpp/absl/container/internal/hashtablez_sampler.cc )
+ s.files += %w( third_party/abseil-cpp/absl/container/internal/hashtablez_sampler.h )
+ s.files += %w( third_party/abseil-cpp/absl/container/internal/hashtablez_sampler_force_weak_definition.cc )
+ s.files += %w( third_party/abseil-cpp/absl/container/internal/have_sse.h )
s.files += %w( third_party/abseil-cpp/absl/container/internal/inlined_vector.h )
+ s.files += %w( third_party/abseil-cpp/absl/container/internal/layout.h )
+ s.files += %w( third_party/abseil-cpp/absl/container/internal/raw_hash_set.cc )
+ s.files += %w( third_party/abseil-cpp/absl/container/internal/raw_hash_set.h )
s.files += %w( third_party/abseil-cpp/absl/debugging/internal/address_is_readable.cc )
s.files += %w( third_party/abseil-cpp/absl/debugging/internal/address_is_readable.h )
s.files += %w( third_party/abseil-cpp/absl/debugging/internal/demangle.cc )
@@ -1048,6 +1070,11 @@ Gem::Specification.new do |s|
s.files += %w( third_party/abseil-cpp/absl/debugging/symbolize_win32.inc )
s.files += %w( third_party/abseil-cpp/absl/functional/function_ref.h )
s.files += %w( third_party/abseil-cpp/absl/functional/internal/function_ref.h )
+ s.files += %w( third_party/abseil-cpp/absl/hash/hash.h )
+ s.files += %w( third_party/abseil-cpp/absl/hash/internal/city.cc )
+ s.files += %w( third_party/abseil-cpp/absl/hash/internal/city.h )
+ s.files += %w( third_party/abseil-cpp/absl/hash/internal/hash.cc )
+ s.files += %w( third_party/abseil-cpp/absl/hash/internal/hash.h )
s.files += %w( third_party/abseil-cpp/absl/memory/memory.h )
s.files += %w( third_party/abseil-cpp/absl/meta/type_traits.h )
s.files += %w( third_party/abseil-cpp/absl/numeric/int128.cc )
@@ -1165,10 +1192,14 @@ Gem::Specification.new do |s|
s.files += %w( third_party/abseil-cpp/absl/time/time.h )
s.files += %w( third_party/abseil-cpp/absl/types/bad_optional_access.cc )
s.files += %w( third_party/abseil-cpp/absl/types/bad_optional_access.h )
+ s.files += %w( third_party/abseil-cpp/absl/types/bad_variant_access.cc )
+ s.files += %w( third_party/abseil-cpp/absl/types/bad_variant_access.h )
s.files += %w( third_party/abseil-cpp/absl/types/internal/optional.h )
s.files += %w( third_party/abseil-cpp/absl/types/internal/span.h )
+ s.files += %w( third_party/abseil-cpp/absl/types/internal/variant.h )
s.files += %w( third_party/abseil-cpp/absl/types/optional.h )
s.files += %w( third_party/abseil-cpp/absl/types/span.h )
+ s.files += %w( third_party/abseil-cpp/absl/types/variant.h )
s.files += %w( third_party/abseil-cpp/absl/utility/utility.h )
s.files += %w( third_party/address_sorting/address_sorting.c )
s.files += %w( third_party/address_sorting/address_sorting_internal.h )
diff --git a/grpc.gyp b/grpc.gyp
index ae7d87c9d69..468e4d43186 100644
--- a/grpc.gyp
+++ b/grpc.gyp
@@ -438,6 +438,7 @@
'absl/strings:strings',
'absl/status:status',
'absl/container:inlined_vector',
+ 'absl/container:flat_hash_set',
],
'sources': [
'src/core/ext/filters/census/grpc_context.cc',
@@ -753,6 +754,8 @@
'src/core/lib/iomgr/work_serializer.cc',
'src/core/lib/json/json_reader.cc',
'src/core/lib/json/json_writer.cc',
+ 'src/core/lib/security/authorization/authorization_engine.cc',
+ 'src/core/lib/security/authorization/evaluate_args.cc',
'src/core/lib/security/context/security_context.cc',
'src/core/lib/security/credentials/alts/alts_credentials.cc',
'src/core/lib/security/credentials/alts/check_gcp_environment.cc',
@@ -890,6 +893,7 @@
'sources': [
'test/core/util/cmdline.cc',
'test/core/util/debugger_macros.cc',
+ 'test/core/util/eval_args_mock_endpoint.cc',
'test/core/util/fuzzer_util.cc',
'test/core/util/grpc_profiler.cc',
'test/core/util/histogram.cc',
@@ -922,6 +926,7 @@
'sources': [
'test/core/util/cmdline.cc',
'test/core/util/debugger_macros.cc',
+ 'test/core/util/eval_args_mock_endpoint.cc',
'test/core/util/fuzzer_util.cc',
'test/core/util/grpc_profiler.cc',
'test/core/util/histogram.cc',
diff --git a/package.xml b/package.xml
index 717113b2d79..fc26c837c46 100644
--- a/package.xml
+++ b/package.xml
@@ -741,6 +741,12 @@
+
+
+
+
+
+
@@ -968,6 +974,7 @@
+
@@ -982,6 +989,8 @@
+
+
@@ -1021,9 +1030,22 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1050,6 +1072,11 @@
+
+
+
+
+
@@ -1167,10 +1194,14 @@
+
+
+
+
diff --git a/src/core/lib/security/authorization/authorization_engine.cc b/src/core/lib/security/authorization/authorization_engine.cc
index 58e23f991cf..8e6a63dc21b 100644
--- a/src/core/lib/security/authorization/authorization_engine.cc
+++ b/src/core/lib/security/authorization/authorization_engine.cc
@@ -20,6 +20,22 @@
namespace grpc_core {
+namespace {
+
+// Symbols for traversing Envoy Attributes
+constexpr char kUrlPath[] = "url_path";
+constexpr char kHost[] = "host";
+constexpr char kMethod[] = "method";
+constexpr char kHeaders[] = "headers";
+constexpr char kSourceAddress[] = "source_address";
+constexpr char kSourcePort[] = "source_port";
+constexpr char kDestinationAddress[] = "destination_address";
+constexpr char kDestinationPort[] = "destination_port";
+constexpr char kSpiffeId[] = "spiffe_id";
+constexpr char kCertServerName[] = "cert_server_name";
+
+} // namespace
+
std::unique_ptr
AuthorizationEngine::CreateAuthorizationEngine(
const std::vector& rbac_policies) {
@@ -74,4 +90,88 @@ AuthorizationEngine::AuthorizationEngine(
}
}
+std::unique_ptr AuthorizationEngine::CreateActivation(
+ const EvaluateArgs& args) {
+ std::unique_ptr activation;
+ for (const auto& elem : envoy_attributes_) {
+ if (elem == kUrlPath) {
+ absl::string_view url_path(args.GetPath());
+ if (!url_path.empty()) {
+ activation->InsertValue(kUrlPath,
+ mock_cel::CelValue::CreateStringView(url_path));
+ }
+ } else if (elem == kHost) {
+ absl::string_view host(args.GetHost());
+ if (!host.empty()) {
+ activation->InsertValue(kHost,
+ mock_cel::CelValue::CreateStringView(host));
+ }
+ } else if (elem == kMethod) {
+ absl::string_view method(args.GetMethod());
+ if (!method.empty()) {
+ activation->InsertValue(kMethod,
+ mock_cel::CelValue::CreateStringView(method));
+ }
+ } else if (elem == kHeaders) {
+ std::multimap headers =
+ args.GetHeaders();
+ std::vector>
+ header_items;
+ for (const auto& header_key : header_keys_) {
+ auto header_item = headers.find(header_key);
+ if (header_item != headers.end()) {
+ header_items.push_back(
+ std::pair(
+ mock_cel::CelValue::CreateStringView(header_key),
+ mock_cel::CelValue::CreateStringView(header_item->second)));
+ }
+ }
+ headers_ = mock_cel::ContainerBackedMapImpl::Create(
+ absl::Span>(
+ header_items));
+ activation->InsertValue(kHeaders,
+ mock_cel::CelValue::CreateMap(headers_.get()));
+ } else if (elem == kSourceAddress) {
+ absl::string_view source_address(args.GetPeerAddress());
+ if (!source_address.empty()) {
+ activation->InsertValue(
+ kSourceAddress,
+ mock_cel::CelValue::CreateStringView(source_address));
+ }
+ } else if (elem == kSourcePort) {
+ activation->InsertValue(
+ kSourcePort, mock_cel::CelValue::CreateInt64(args.GetPeerPort()));
+ } else if (elem == kDestinationAddress) {
+ absl::string_view destination_address(args.GetLocalAddress());
+ if (!destination_address.empty()) {
+ activation->InsertValue(
+ kDestinationAddress,
+ mock_cel::CelValue::CreateStringView(destination_address));
+ }
+ } else if (elem == kDestinationPort) {
+ activation->InsertValue(kDestinationPort, mock_cel::CelValue::CreateInt64(
+ args.GetLocalPort()));
+ } else if (elem == kSpiffeId) {
+ absl::string_view spiffe_id(args.GetSpiffeId());
+ if (!spiffe_id.empty()) {
+ activation->InsertValue(
+ kSpiffeId, mock_cel::CelValue::CreateStringView(spiffe_id));
+ }
+ } else if (elem == kCertServerName) {
+ absl::string_view cert_server_name(args.GetCertServerName());
+ if (!cert_server_name.empty()) {
+ activation->InsertValue(
+ kCertServerName,
+ mock_cel::CelValue::CreateStringView(cert_server_name));
+ }
+ } else {
+ gpr_log(GPR_ERROR,
+ "Error: Authorization engine does not support evaluating "
+ "attribute %s.",
+ elem.c_str());
+ }
+ }
+ return activation;
+}
+
} // namespace grpc_core
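Review bot: `activation` is declared on the line `std::unique_ptr activation;` and never created, so it is a null pointer when the first matching attribute reaches `activation->InsertValue(...)`; it has to be allocated before the loop, e.g. `auto activation = absl::make_unique<mock_cel::Activation>();` if `Activation` is the type declared by the activation.h this commit includes (the template argument is not legible here). Two lifetime problems sit in the `kHeaders` branch: `header_items` wraps `header_item->second`, which is owned by the local `headers` multimap and dies at the end of that branch, so the views passed to `ContainerBackedMapImpl::Create` dangle as soon as that stub actually retains its input; and the map itself is kept in the engine member `headers_` (declared in the authorization_engine.h hunk) while the returned activation holds only `headers_.get()`, so a second `CreateActivation` call, or two evaluations running concurrently, replace or race on the map an earlier activation still points at. Owning the map inside the activation, or returning it together with the activation, would tie the two lifetimes together. The final `else` logs an unsupported attribute and carries on, which means a policy naming such an attribute is evaluated with it silently missing; it is worth deciding explicitly whether that should fail closed instead.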
diff --git a/src/core/lib/security/authorization/authorization_engine.h b/src/core/lib/security/authorization/authorization_engine.h
index 406cebbc452..809784c334e 100644
--- a/src/core/lib/security/authorization/authorization_engine.h
+++ b/src/core/lib/security/authorization/authorization_engine.h
@@ -24,10 +24,14 @@
#include
#include
-#include "src/core/ext/upb-generated/envoy/config/rbac/v3/rbac.upb.h"
-#include "src/core/ext/upb-generated/google/api/expr/v1alpha1/syntax.upb.h"
+#include "absl/container/flat_hash_set.h"
+#include "envoy/config/rbac/v3/rbac.upb.h"
+#include "google/api/expr/v1alpha1/syntax.upb.h"
#include "upb/upb.hpp"
+#include "src/core/lib/security/authorization/evaluate_args.h"
+#include "src/core/lib/security/authorization/mock_cel/activation.h"
+
namespace grpc_core {
// AuthorizationEngine makes an AuthorizationDecision to ALLOW or DENY the
@@ -62,11 +66,17 @@ class AuthorizationEngine {
kDeny,
};
+ std::unique_ptr CreateActivation(
+ const EvaluateArgs& args);
+
std::map
deny_if_matched_;
std::map
allow_if_matched_;
upb::Arena arena_;
+ absl::flat_hash_set envoy_attributes_;
+ absl::flat_hash_set header_keys_;
+ std::unique_ptr headers_;
};
} // namespace grpc_core
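Review bot: The new declarations are uncommented, unlike the class-level comment above them, and nothing in the header says what the three sets/pointers hold or why `CreateActivation` is a member rather than a free function; the enclosing class opens outside this hunk. From the .cc in this commit, `envoy_attributes_` is the set of attribute names that get resolved from `EvaluateArgs`, `header_keys_` selects which request headers are copied into the `"headers"` map, and `headers_` is rebuilt on every `CreateActivation` call and is referenced by raw pointer from the returned activation — where the first two are populated is not visible here, so the wording should be confirmed. Suggested comments: `// Attribute names to materialize from EvaluateArgs; see CreateActivation.` above `envoy_attributes_`, `// Request header names exposed to the policy; all others are omitted.` above `header_keys_`, and `// Rebuilt by each CreateActivation call; the returned activation points into it.` above `headers_`.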
diff --git a/src/core/lib/security/authorization/evaluate_args.cc b/src/core/lib/security/authorization/evaluate_args.cc
index dc6484550a4..68f6cb803d3 100644
--- a/src/core/lib/security/authorization/evaluate_args.cc
+++ b/src/core/lib/security/authorization/evaluate_args.cc
@@ -20,6 +20,9 @@
#include "src/core/lib/security/authorization/evaluate_args.h"
+#include "src/core/lib/iomgr/parse_address.h"
+#include "src/core/lib/iomgr/resolve_address.h"
+#include "src/core/lib/iomgr/sockaddr_utils.h"
#include "src/core/lib/slice/slice_utils.h"
namespace grpc_core {
@@ -69,6 +72,58 @@ std::multimap EvaluateArgs::GetHeaders()
return headers;
}
+absl::string_view EvaluateArgs::GetLocalAddress() const {
+ absl::string_view addr = grpc_endpoint_get_local_address(endpoint_);
+ size_t first_colon = addr.find(":");
+ size_t last_colon = addr.rfind(":");
+ if (first_colon == std::string::npos || last_colon == std::string::npos) {
+ return "";
+ } else {
+ return addr.substr(first_colon + 1, last_colon - first_colon - 1);
+ }
+}
+
+int EvaluateArgs::GetLocalPort() const {
+ if (endpoint_ == nullptr) {
+ return 0;
+ }
+ grpc_uri* uri = grpc_uri_parse(
+ std::string(grpc_endpoint_get_local_address(endpoint_)).c_str(), true);
+ grpc_resolved_address resolved_addr;
+ if (uri == nullptr || !grpc_parse_uri(uri, &resolved_addr)) {
+ grpc_uri_destroy(uri);
+ return 0;
+ }
+ grpc_uri_destroy(uri);
+ return grpc_sockaddr_get_port(&resolved_addr);
+}
+
+absl::string_view EvaluateArgs::GetPeerAddress() const {
+ absl::string_view addr = grpc_endpoint_get_peer(endpoint_);
+ size_t first_colon = addr.find(":");
+ size_t last_colon = addr.rfind(":");
+ if (first_colon == std::string::npos || last_colon == std::string::npos) {
+ return "";
+ } else {
+ return addr.substr(first_colon + 1, last_colon - first_colon - 1);
+ }
+}
+
+int EvaluateArgs::GetPeerPort() const {
+ if (endpoint_ == nullptr) {
+ return 0;
+ }
+ grpc_uri* uri = grpc_uri_parse(
+ std::string(grpc_endpoint_get_peer(endpoint_)).c_str(), true);
+ grpc_resolved_address resolved_addr;
+ if (uri == nullptr || !grpc_parse_uri(uri, &resolved_addr)) {
+ grpc_uri_destroy(uri);
+ return 0;
+ }
+ grpc_uri_destroy(uri);
+ return grpc_sockaddr_get_port(&resolved_addr);
+}
+
absl::string_view EvaluateArgs::GetSpiffeId() const {
if (auth_context_ == nullptr) {
return "";
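Review bot: `GetLocalAddress` and `GetPeerAddress` call `grpc_endpoint_get_local_address(endpoint_)` / `grpc_endpoint_get_peer(endpoint_)` without the `endpoint_ == nullptr` guard that `GetLocalPort` and `GetPeerPort` have a few lines below, so an `EvaluateArgs` constructed without an endpoint would crash in one pair of accessors and return 0 in the other; add `if (endpoint_ == nullptr) return "";` at the top of both. The host extraction slices between the first and last `:` of the URI string, which as far as I can tell gives the host for `ipv4:`/`ipv6:` URIs but returns the whole path for a `unix:` address and `""` for anything with fewer than two colons — since these values become the `source_address`/`destination_address` attributes an authorization policy is matched against, parsing with `grpc_uri_parse`/`grpc_parse_uri` and `grpc_sockaddr_to_string`, as the port accessors already do, would make address and port agree on malformed input instead of one succeeding while the other yields 0. `std::string::npos` only works here because it happens to equal `absl::string_view::npos`; use the latter. The two port functions are identical apart from the endpoint call and could share a static helper taking the address string.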
diff --git a/src/core/lib/security/authorization/evaluate_args.h b/src/core/lib/security/authorization/evaluate_args.h
index da5b606fba1..e258f72bc87 100644
--- a/src/core/lib/security/authorization/evaluate_args.h
+++ b/src/core/lib/security/authorization/evaluate_args.h
@@ -32,12 +32,17 @@ namespace grpc_core {
class EvaluateArgs {
public:
EvaluateArgs(grpc_metadata_batch* metadata, grpc_auth_context* auth_context,
- grpc_endpoint* endpoint);
+ grpc_endpoint* endpoint)
+ : metadata_(metadata), auth_context_(auth_context), endpoint_(endpoint) {}
absl::string_view GetPath() const;
absl::string_view GetHost() const;
absl::string_view GetMethod() const;
std::multimap GetHeaders() const;
+ absl::string_view GetLocalAddress() const;
+ int GetLocalPort() const;
+ absl::string_view GetPeerAddress() const;
+ int GetPeerPort() const;
absl::string_view GetSpiffeId() const;
absl::string_view GetCertServerName() const;
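Review bot: The four new accessors are undocumented, and their failure values differ in kind: the .cc in this commit returns `""` from the address getters and `0` from the port getters when the endpoint is missing or its address cannot be parsed, and the address getters return the host portion of the endpoint URI rather than the URI itself. Suggest `// Host and port of the local endpoint and of the peer; "" / 0 when no endpoint is attached or its address cannot be parsed.` above `GetLocalAddress`, so callers in the authorization engine do not mistake 0 or empty for a real value. The now-inlined constructor stores the three pointers without taking ownership (the test in this commit destroys the endpoint separately); `// Does not take ownership; all three pointers must outlive this object.` above it would make that explicit. The class body continues past the end of this hunk.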
diff --git a/src/core/lib/security/authorization/mock_cel/cel_value.h b/src/core/lib/security/authorization/mock_cel/cel_value.h
index 735c96652c5..e0217521cc1 100644
--- a/src/core/lib/security/authorization/mock_cel/cel_value.h
+++ b/src/core/lib/security/authorization/mock_cel/cel_value.h
@@ -38,7 +38,10 @@ namespace grpc_core {
namespace mock_cel {
// Break cyclic depdendencies for container types.
-class CelMap;
+class CelMap {
+ public:
+ CelMap() = default;
+};
// This is a temporary stub implementation of CEL APIs.
// Once gRPC imports the CEL library, this class will be removed.
@@ -73,6 +76,17 @@ class CelValue {
explicit CelValue(T value) {}
};
+// CelMap implementation that uses STL map container as backing storage.
+class ContainerBackedMapImpl : public CelMap {
+ public:
+ ContainerBackedMapImpl() = default;
+
+ static std::unique_ptr Create(
+ absl::Span> key_values) {
+ return absl::make_unique();
+ }
+};
+
} // namespace mock_cel
} // namespace grpc_core
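Review bot: `ContainerBackedMapImpl::Create` discards `key_values` and returns an empty map, so the header entries the authorization engine builds in this commit are never visible to whatever evaluates the activation; for a stub that is presumably intended, but the file does not say so and the unused parameter is silent. Suggest `// Stub: key_values is intentionally ignored until the real CEL library is imported; the returned map is always empty.` above `Create`, and naming the parameter `/*key_values*/` so compilers do not warn on it. It is worth confirming that no test in the tree expects header matching to succeed against this stub.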
diff --git a/src/python/grpcio/grpc_core_dependencies.py b/src/python/grpcio/grpc_core_dependencies.py
index 4e9d4ae3ce2..88cd4d7e0c8 100644
--- a/src/python/grpcio/grpc_core_dependencies.py
+++ b/src/python/grpcio/grpc_core_dependencies.py
@@ -369,6 +369,8 @@ CORE_SOURCE_FILES = [
'src/core/lib/json/json_writer.cc',
'src/core/lib/profiling/basic_timers.cc',
'src/core/lib/profiling/stap_timers.cc',
+ 'src/core/lib/security/authorization/authorization_engine.cc',
+ 'src/core/lib/security/authorization/evaluate_args.cc',
'src/core/lib/security/context/security_context.cc',
'src/core/lib/security/credentials/alts/alts_credentials.cc',
'src/core/lib/security/credentials/alts/check_gcp_environment.cc',
@@ -481,6 +483,7 @@ CORE_SOURCE_FILES = [
'src/core/tsi/transport_security_grpc.cc',
'third_party/abseil-cpp/absl/base/dynamic_annotations.cc',
'third_party/abseil-cpp/absl/base/internal/cycleclock.cc',
+ 'third_party/abseil-cpp/absl/base/internal/exponential_biased.cc',
'third_party/abseil-cpp/absl/base/internal/low_level_alloc.cc',
'third_party/abseil-cpp/absl/base/internal/raw_logging.cc',
'third_party/abseil-cpp/absl/base/internal/spinlock.cc',
@@ -490,12 +493,17 @@ CORE_SOURCE_FILES = [
'third_party/abseil-cpp/absl/base/internal/throw_delegate.cc',
'third_party/abseil-cpp/absl/base/internal/unscaledcycleclock.cc',
'third_party/abseil-cpp/absl/base/log_severity.cc',
+ 'third_party/abseil-cpp/absl/container/internal/hashtablez_sampler.cc',
+ 'third_party/abseil-cpp/absl/container/internal/hashtablez_sampler_force_weak_definition.cc',
+ 'third_party/abseil-cpp/absl/container/internal/raw_hash_set.cc',
'third_party/abseil-cpp/absl/debugging/internal/address_is_readable.cc',
'third_party/abseil-cpp/absl/debugging/internal/demangle.cc',
'third_party/abseil-cpp/absl/debugging/internal/elf_mem_image.cc',
'third_party/abseil-cpp/absl/debugging/internal/vdso_support.cc',
'third_party/abseil-cpp/absl/debugging/stacktrace.cc',
'third_party/abseil-cpp/absl/debugging/symbolize.cc',
+ 'third_party/abseil-cpp/absl/hash/internal/city.cc',
+ 'third_party/abseil-cpp/absl/hash/internal/hash.cc',
'third_party/abseil-cpp/absl/numeric/int128.cc',
'third_party/abseil-cpp/absl/status/status.cc',
'third_party/abseil-cpp/absl/status/status_payload_printer.cc',
@@ -546,6 +554,7 @@ CORE_SOURCE_FILES = [
'third_party/abseil-cpp/absl/time/internal/cctz/src/zone_info_source.cc',
'third_party/abseil-cpp/absl/time/time.cc',
'third_party/abseil-cpp/absl/types/bad_optional_access.cc',
+ 'third_party/abseil-cpp/absl/types/bad_variant_access.cc',
'third_party/address_sorting/address_sorting.c',
'third_party/address_sorting/address_sorting_posix.c',
'third_party/address_sorting/address_sorting_windows.c',
diff --git a/test/core/security/BUILD b/test/core/security/BUILD
index 3d404a2b0e7..9a4daaa2b78 100644
--- a/test/core/security/BUILD
+++ b/test/core/security/BUILD
@@ -79,7 +79,7 @@ grpc_cc_test(
language = "C++",
deps = [
"//:gpr",
- "//:grpc_authorization_engine",
+ "//:grpc",
"//test/core/util:grpc_test_util",
],
)
@@ -95,6 +95,19 @@ grpc_cc_test(
],
)
+grpc_cc_test(
+ name = "evaluate_args_test",
+ srcs = ["evaluate_args_test.cc"],
+ external_deps = ["gtest"],
+ language = "C++",
+ deps = [
+ "//:gpr",
+ "//:grpc",
+ "//test/core/util:grpc_test_util",
+ "//test/core/util:grpc_test_util_base",
+ ],
+)
+
grpc_cc_test(
name = "json_token_test",
srcs = ["json_token_test.cc"],
diff --git a/test/core/security/evaluate_args_test.cc b/test/core/security/evaluate_args_test.cc
new file mode 100644
index 00000000000..394344dd60e
--- /dev/null
+++ b/test/core/security/evaluate_args_test.cc
@@ -0,0 +1,76 @@
+// Copyright 2020 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include
+
+#include
+#include "absl/strings/string_view.h"
+
+#include "src/core/lib/security/authorization/evaluate_args.h"
+#include "test/core/util/eval_args_mock_endpoint.h"
+
+namespace grpc_core {
+
+class EvaluateArgsTest : public ::testing::Test {
+ protected:
+ void SetUp() override {
+ local_address_ = "255.255.255.255";
+ peer_address_ = "128.128.128.128";
+ local_port_ = 413;
+ peer_port_ = 314;
+ endpoint_ = CreateEvalArgsMockEndpoint(local_address_.c_str(), local_port_,
+ peer_address_.c_str(), peer_port_);
+ evaluate_args_ =
+ absl::make_unique(nullptr, nullptr, endpoint_);
+ }
+ void TearDown() override { grpc_endpoint_destroy(endpoint_); }
+ grpc_endpoint* endpoint_;
+ std::unique_ptr evaluate_args_;
+ std::string local_address_;
+ std::string peer_address_;
+ int local_port_;
+ int peer_port_;
+};
+
+TEST_F(EvaluateArgsTest, TestEvaluateArgsLocalAddress) {
+ absl::string_view src_address = evaluate_args_->GetLocalAddress();
+ EXPECT_EQ(src_address, local_address_)
+ << "Error: Failed to extract correct Local address from EvaluateArgs.";
+}
+
+TEST_F(EvaluateArgsTest, TestEvaluateArgsLocalPort) {
+ int src_port = evaluate_args_->GetLocalPort();
+ EXPECT_EQ(src_port, local_port_)
+ << "Error: Failed to extract correct Local port from EvaluateArgs.";
+}
+
+TEST_F(EvaluateArgsTest, TestEvaluateArgsPeerAddress) {
+ absl::string_view dest_address = evaluate_args_->GetPeerAddress();
+ EXPECT_EQ(dest_address, peer_address_)
+ << "Error: Failed to extract correct Peer address from "
+ "EvaluateArgs. ";
+}
+
+TEST_F(EvaluateArgsTest, TestEvaluateArgsPeerPort) {
+ int dest_port = evaluate_args_->GetPeerPort();
+ EXPECT_EQ(dest_port, peer_port_)
+ << "Error: Failed to extract correct Peer port from EvaluateArgs.";
+}
+
+} // namespace grpc_core
+
+int main(int argc, char** argv) {
+ ::testing::InitGoogleTest(&argc, argv);
+ return RUN_ALL_TESTS();
+}
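Review bot: The test bodies name their locals backwards relative to the engine: `src_address` holds `GetLocalAddress()` and `dest_address` holds `GetPeerAddress()`, whereas authorization_engine.cc in this commit binds the peer to `source_address` and the local endpoint to `destination_address`; renaming them `local_address`/`peer_address` (and the ports likewise) keeps the test from documenting the opposite convention. Coverage is IPv4 only, and the accessors under test locate the host by slicing between the first and last `:` of the URI, so an IPv6 case (which would need the mock endpoint to build `AF_INET6` addresses) and a null-endpoint case, `EvaluateArgs(nullptr, nullptr, nullptr)`, would exercise exactly the branches most likely to misbehave.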
diff --git a/test/core/util/BUILD b/test/core/util/BUILD
index 86811da9215..35a396de687 100644
--- a/test/core/util/BUILD
+++ b/test/core/util/BUILD
@@ -38,6 +38,7 @@ grpc_cc_library(
name = "grpc_test_util_base",
srcs = [
"cmdline.cc",
+ "eval_args_mock_endpoint.cc",
"fuzzer_util.cc",
"grpc_profiler.cc",
"histogram.cc",
@@ -59,6 +60,7 @@ grpc_cc_library(
],
hdrs = [
"cmdline.h",
+ "eval_args_mock_endpoint.h",
"fuzzer_util.h",
"grpc_profiler.h",
"histogram.h",
diff --git a/test/core/util/eval_args_mock_endpoint.cc b/test/core/util/eval_args_mock_endpoint.cc
new file mode 100644
index 00000000000..bd41d4b4191
--- /dev/null
+++ b/test/core/util/eval_args_mock_endpoint.cc
@@ -0,0 +1,118 @@
+// Copyright 2020 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include
+
+#include "test/core/util/eval_args_mock_endpoint.h"
+
+#include
+
+#include
+
+#include "absl/strings/str_format.h"
+
+#include
+#include
+#include "src/core/lib/iomgr/sockaddr.h"
+#include "src/core/lib/iomgr/sockaddr_utils.h"
+
+namespace grpc_core {
+
+class EvalArgsMockEndpoint {
+ public:
+ EvalArgsMockEndpoint(absl::string_view local_uri, absl::string_view peer_uri)
+ : local_address_(local_uri), peer_(peer_uri) {
+ base_.vtable = &vtable_;
+ }
+ grpc_endpoint* base() const { return const_cast(&base_); }
+ static void Read(grpc_endpoint* ep, grpc_slice_buffer* slices,
+ grpc_closure* cb, bool unused) {}
+ static void Write(grpc_endpoint* ep, grpc_slice_buffer* slices,
+ grpc_closure* cb, void* unused) {}
+ static void AddToPollset(grpc_endpoint* ep, grpc_pollset* unused) {}
+ static void AddToPollsetSet(grpc_endpoint* ep, grpc_pollset_set* unused) {}
+ static void DeleteFromPollsetSet(grpc_endpoint* ep,
+ grpc_pollset_set* unused) {}
+ static void Shutdown(grpc_endpoint* ep, grpc_error* why) {}
+ static void Destroy(grpc_endpoint* ep) {
+ EvalArgsMockEndpoint* m = reinterpret_cast(ep);
+ delete m;
+ }
+
+ static absl::string_view GetPeer(grpc_endpoint* ep) {
+ EvalArgsMockEndpoint* m = reinterpret_cast(ep);
+ return m->peer_;
+ }
+
+ static absl::string_view GetLocalAddress(grpc_endpoint* ep) {
+ EvalArgsMockEndpoint* m = reinterpret_cast(ep);
+ return m->local_address_;
+ }
+
+ static grpc_resource_user* GetResourceUser(grpc_endpoint* ep) {
+ return nullptr;
+ }
+
+ static int GetFd(grpc_endpoint* unused) { return -1; }
+ static bool CanTrackErr(grpc_endpoint* unused) { return false; }
+
+ private:
+ static constexpr grpc_endpoint_vtable vtable_ = {
+ EvalArgsMockEndpoint::Read,
+ EvalArgsMockEndpoint::Write,
+ EvalArgsMockEndpoint::AddToPollset,
+ EvalArgsMockEndpoint::AddToPollsetSet,
+ EvalArgsMockEndpoint::DeleteFromPollsetSet,
+ EvalArgsMockEndpoint::Shutdown,
+ EvalArgsMockEndpoint::Destroy,
+ EvalArgsMockEndpoint::GetResourceUser,
+ EvalArgsMockEndpoint::GetPeer,
+ EvalArgsMockEndpoint::GetLocalAddress,
+ EvalArgsMockEndpoint::GetFd,
+ EvalArgsMockEndpoint::CanTrackErr};
+ grpc_endpoint base_;
+ std::string local_address_;
+ std::string peer_;
+};
+
+constexpr grpc_endpoint_vtable EvalArgsMockEndpoint::vtable_;
+
+namespace {
+
+std::string NameAndPortToURI(const char* addr, const int port) {
+ grpc_sockaddr_in address;
+ memset(&address, 0, sizeof(address));
+ address.sin_family = AF_INET;
+ address.sin_port = htons(port);
+ inet_pton(AF_INET, addr, &address.sin_addr);
+ grpc_resolved_address resolved;
+ memset(&resolved, 0, sizeof(resolved));
+ memcpy(resolved.addr, &address, sizeof(address));
+ resolved.len = sizeof(address);
+ return grpc_sockaddr_to_uri(&resolved);
+}
+
+} // namespace
+
+grpc_endpoint* CreateEvalArgsMockEndpoint(const char* local_address,
+ const int local_port,
+ const char* peer_address,
+ const int peer_port) {
+ EvalArgsMockEndpoint* m =
+ new EvalArgsMockEndpoint(NameAndPortToURI(local_address, local_port),
+ NameAndPortToURI(peer_address, peer_port));
+ return m->base();
+}
+
+} // namespace grpc_core
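Review bot: `inet_pton(AF_INET, addr, &address.sin_addr)` in `NameAndPortToURI` ignores its return value, so a mistyped or IPv6 literal silently yields 0.0.0.0 and a test built on it would assert against the wrong address rather than failing at setup; `GPR_ASSERT(inet_pton(AF_INET, addr, &address.sin_addr) == 1);` makes the fixture fail loudly. `Destroy`, `GetPeer` and `GetLocalAddress` `reinterpret_cast` the `grpc_endpoint*` back to the wrapper, which only works because `base_` is the first non-static data member; since the class may not be standard-layout an `offsetof` check is not guaranteed, so at least `// base_ must stay the first data member: the vtable callbacks cast grpc_endpoint* back to this.` next to `grpc_endpoint base_;` guards against a reorder. `htons(port)` also truncates an `int` silently; `GPR_ASSERT(port >= 0 && port <= 65535);` before it would catch bad fixture values.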
diff --git a/test/core/util/eval_args_mock_endpoint.h b/test/core/util/eval_args_mock_endpoint.h
new file mode 100644
index 00000000000..68b32cc891e
--- /dev/null
+++ b/test/core/util/eval_args_mock_endpoint.h
@@ -0,0 +1,31 @@
+// Copyright 2020 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef GRPC_TEST_CORE_UTIL_EVAL_ARGS_MOCK_ENDPOINT_H
+#define GRPC_TEST_CORE_UTIL_EVAL_ARGS_MOCK_ENDPOINT_H
+
+#include
+
+#include "src/core/lib/iomgr/endpoint.h"
+
+namespace grpc_core {
+
+grpc_endpoint* CreateEvalArgsMockEndpoint(const char* local_address,
+ const int local_port,
+ const char* peer_address,
+ const int peer_port);
+
+} // namespace grpc_core
+
+#endif // GRPC_TEST_CORE_UTIL_EVAL_ARGS_MOCK_ENDPOINT_H
diff --git a/tools/doxygen/Doxyfile.c++.internal b/tools/doxygen/Doxyfile.c++.internal
index 69342b452a9..50a1f978c33 100644
--- a/tools/doxygen/Doxyfile.c++.internal
+++ b/tools/doxygen/Doxyfile.c++.internal
@@ -1710,6 +1710,12 @@ src/core/lib/json/json_writer.cc \
src/core/lib/profiling/basic_timers.cc \
src/core/lib/profiling/stap_timers.cc \
src/core/lib/profiling/timers.h \
+src/core/lib/security/authorization/authorization_engine.cc \
+src/core/lib/security/authorization/authorization_engine.h \
+src/core/lib/security/authorization/evaluate_args.cc \
+src/core/lib/security/authorization/evaluate_args.h \
+src/core/lib/security/authorization/mock_cel/activation.h \
+src/core/lib/security/authorization/mock_cel/cel_value.h \
src/core/lib/security/context/security_context.cc \
src/core/lib/security/context/security_context.h \
src/core/lib/security/credentials/alts/alts_credentials.cc \
diff --git a/tools/doxygen/Doxyfile.core.internal b/tools/doxygen/Doxyfile.core.internal
index c9aedb9b822..3b4fb2252d3 100644
--- a/tools/doxygen/Doxyfile.core.internal
+++ b/tools/doxygen/Doxyfile.core.internal
@@ -1537,6 +1537,12 @@ src/core/lib/json/json_writer.cc \
src/core/lib/profiling/basic_timers.cc \
src/core/lib/profiling/stap_timers.cc \
src/core/lib/profiling/timers.h \
+src/core/lib/security/authorization/authorization_engine.cc \
+src/core/lib/security/authorization/authorization_engine.h \
+src/core/lib/security/authorization/evaluate_args.cc \
+src/core/lib/security/authorization/evaluate_args.h \
+src/core/lib/security/authorization/mock_cel/activation.h \
+src/core/lib/security/authorization/mock_cel/cel_value.h \
src/core/lib/security/context/security_context.cc \
src/core/lib/security/context/security_context.h \
src/core/lib/security/credentials/alts/alts_credentials.cc \
diff --git a/tools/run_tests/generated/tests.json b/tools/run_tests/generated/tests.json
index 47188111351..756f75c9682 100644
--- a/tools/run_tests/generated/tests.json
+++ b/tools/run_tests/generated/tests.json
@@ -4313,6 +4313,30 @@
],
"uses_polling": true
},
+ {
+ "args": [],
+ "benchmark": false,
+ "ci_platforms": [
+ "linux",
+ "mac",
+ "posix",
+ "windows"
+ ],
+ "cpu_cost": 1.0,
+ "exclude_configs": [],
+ "exclude_iomgrs": [],
+ "flaky": false,
+ "gtest": true,
+ "language": "c++",
+ "name": "evaluate_args_test",
+ "platforms": [
+ "linux",
+ "mac",
+ "posix",
+ "windows"
+ ],
+ "uses_polling": true
+ },
{
"args": [],
"benchmark": false,